mirror of
https://github.com/opnsense/docs
synced 2024-11-17 03:25:33 +00:00
630 lines
35 KiB
ReStructuredText
630 lines
35 KiB
ReStructuredText
===========================================================================================
|
|
20.7 "Legendary Lion" Series
|
|
===========================================================================================
|
|
|
|
|
|
|
|
For five and a half years, OPNsense is driving innovation through modularising
|
|
and hardening the open source firewall, with simple and reliable firmware
|
|
upgrades, multi-language support, HardenedBSD security, fast adoption of
|
|
upstream software updates as well as clear and stable 2-Clause BSD licensing.
|
|
|
|
20.7, nicknamed "Legendary Lion", is a major operating system jump forward on
|
|
a sustainable firewall experience. This release adds DHCPv6 multi-WAN, custom
|
|
error pages for the web proxy, Suricata 5, HardenedBSD 12.1, netstat tree view,
|
|
basic firewall API support (via plugin) and extended live log filtering amongst
|
|
others.
|
|
|
|
Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
|
|
can be found below as well.
|
|
|
|
* Europe: https://mirrors.dotsrc.org/opnsense/releases/20.7/
|
|
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.7/
|
|
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.7/
|
|
* South America: https://mirror.venturasystems.tech/opnsense/releases/20.7/
|
|
* Australia: http://mirror.as24220.net/opnsense/releases/20.7/
|
|
* Full mirror list: https://opnsense.org/download/
|
|
|
|
|
|
--------------------------------------------------------------------------
|
|
20.7.8 (January 19, 2021)
|
|
--------------------------------------------------------------------------
|
|
|
|
|
|
The particular volume of this stable update foreshadows the end of the 20.7
|
|
series in less than two weeks.
|
|
|
|
One longstanding issue with radvd on FreeBSD 12.1 has been resolved according
|
|
to multiple user feedback.
|
|
|
|
The mailing lists have been archived and will no longer be used.
|
|
|
|
And before there are questions: yes, consumers of the development version are
|
|
now able to upgrade to 21.1-RC1.
|
|
|
|
Here are the full patch notes:
|
|
|
|
* system: allow to recover from bad TLS certificate and/or bad settings in console interface assign
|
|
* system: display destination port number in firewall log widget (contributed by Team Rebellion)
|
|
* system: keep compatible TLS 1 defaults for web GUI on 20.7 series
|
|
* system: set default certificate lifetime to 397 days
|
|
* firewall: add type 128 to outgoing IPv6 RFC4890 requirements
|
|
* firewall: add manual refresh button to live log
|
|
* firewall: fix typo in ICMPv6 validation
|
|
* firewall: fix minor regression in maintaining target alias file
|
|
* firewall: fix all state value in pfTop (contributed by Lucas Held)
|
|
* firewall: remove duplicated destination field in live log
|
|
* firewall: add read-only actions to aliases permission (contributed by Manuel Faux)
|
|
* firewall: category selector missing caption
|
|
* reporting: add top talkers to revamped traffic graph page
|
|
* reporting: fix name resolution filter change in insight
|
|
* reporting: persist interface selection on traffic graph page
|
|
* captive portal: disable faulty TLS on HTTP since lighttpd 1.4.56
|
|
* dhcp: fix sorting of IPv6 static mappings (contributed by vnxme)
|
|
* dhcp: fix incorrect parsing of DUID (contributed by Matt Holgate)
|
|
* firmware: opnsense-code now updates the current directory if nothing was specified
|
|
* firmware: opnsense-code now uses flexible make.conf target from tools.git
|
|
* firmware: opnsense-update now supports snapshot access via -z option
|
|
* firmware: opnsense-update now fixes missing dependencies on the fly
|
|
* firmware: fix some issues with missing repository on server
|
|
* firmware: add version output and date to audit logs
|
|
* ipsec: display remote host in status overview (contributed by garlic17)
|
|
* opendns: add standalone mode
|
|
* openssh: honour MAX_LISTEN_SOCKS
|
|
* openvpn: set default certificate lifetime to 397 days in wizard
|
|
* unbound: generate all configuration files in service controller
|
|
* unbound: fix broken lines in large files (contributed by kulikov-a)
|
|
* web proxy: lock ACL download to prevent duplicate execution
|
|
* mvc: allow underscore in filter string (contributed by kulikov-a)
|
|
* plugins: os-haproxy 2.26 `[1] <https://github.com/opnsense/plugins/blob/stable/20.7/net/haproxy/pkg-descr>`__
|
|
* plugins: os-hw-probe 1.0 (contributed by Michael Muenz)
|
|
* plugins: os-maltrail fixes sensor start without server (contributed by Julio Camargo)
|
|
* plugins: os-nginx 1.20 `[2] <https://github.com/opnsense/plugins/blob/stable/20.7/www/nginx/pkg-descr>`__
|
|
* plugins: os-tinc fixes for latest version (contributed by vnxme)
|
|
* src: fix OpenSSL NULL pointer de-reference `[3] <FREEBSD:FreeBSD-SA-20:33.openssl>`__
|
|
* src: fix partial scrub of multicast packages
|
|
* src: free full mbuf chains in iflib when draining transmit queues
|
|
* src: initialize oifp to avoid bogus results/panics in edge cases
|
|
* src: 10Gigabit Ethernet driver for AMD SoC
|
|
* ports: libressl 3.2.3 `[4] <https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.2-relnotes.txt>`__ `[5] <https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.3-relnotes.txt>`__
|
|
* ports: nss 3.60.1
|
|
* ports: php 7.3.26 `[6] <https://www.php.net/ChangeLog-7.php#7.3.26>`__
|
|
* ports: pkg fix for shell keyword by opening root file descriptor
|
|
* ports: radvd 2.19 `[7] <https://radvd.litech.org/CHANGES.txt>`__
|
|
* ports: sudo 1.9.5p1 `[8] <https://www.sudo.ws/stable.html#1.9.5p1>`__
|
|
|
|
A hotfix release was issued as 20.7.8_4:
|
|
|
|
* firmware: enable upgrade path to 21.1
|
|
* ports: sudo 1.9.5p2 `[9] <https://www.sudo.ws/stable.html#1.9.5p2>`__
|
|
|
|
|
|
|
|
--------------------------------------------------------------------------
|
|
20.7.7 (December 17, 2020)
|
|
--------------------------------------------------------------------------
|
|
|
|
|
|
Important security updates inside. Also: happy holidays!
|
|
|
|
Here are the full patch notes:
|
|
|
|
* reporting: fix traffic graph widget link issue
|
|
* system: simplify log format parsing
|
|
* interfaces: fix DUID LL description (contributed by Gabriel Mazzocato)
|
|
* unbound: fix dnsbl not reloading after update
|
|
* plugins: os-acme-client 2.2 `[1] <https://github.com/opnsense/plugins/blob/stable/20.7/security/acme-client/pkg-descr>`__
|
|
* plugins: os-freeradius 1.9.9 `[2] <https://github.com/opnsense/plugins/blob/stable/20.7/net/freeradius/pkg-descr>`__
|
|
* plugins: os-frr 1.20 `[3] <https://github.com/opnsense/plugins/blob/stable/20.7/net/frr/pkg-descr>`__
|
|
* plugins: os-tinc 1.6 enables multiple addresses per host (contributed by ElNounch)
|
|
* plugins: os-wireguard 1.4 `[4] <https://github.com/opnsense/plugins/blob/stable/20.7/net/wireguard/pkg-descr>`__
|
|
* ports: curl 7.74.0 `[5] <https://curl.se/changes.html#7_74_0>`__
|
|
* ports: dhcp6c ignores advertise messages with none of requested data and missed status codes
|
|
* ports: libressl 3.1.5 `[6] <https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.1.5-relnotes.txt>`__
|
|
* ports: lighttpd 1.4.56 `[7] <https://www.lighttpd.net/2020/11/29/1.4.56/>`__
|
|
* ports: nss 3.60 `[8] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_60.html>`__
|
|
* ports: openssl 1.1.1i `[9] <https://www.openssl.org/news/secadv/20201208.txt>`__
|
|
* ports: pcre2 10.36 `[10] <https://www.pcre.org/changelog.txt>`__
|
|
* ports: sudo 1.9.4 `[11] <https://www.sudo.ws/stable.html#1.9.4>`__
|
|
* ports: sqlite 3.34.0 `[12] <https://sqlite.org/releaselog/3_34_0.html>`__
|
|
* ports: unbound 1.13.0 `[13] <https://nlnetlabs.nl/projects/unbound/download/#unbound-1-13-0>`__
|
|
|
|
A hotfix release was issued as 20.7.7_1:
|
|
|
|
* system: disable TLS on plain HTTP redirect for new lighttpd version
|
|
* ports: unbound fix for segmentation fault (restart service to activate)
|
|
* ports: lighttpd 1.4.58 `[14] <https://www.lighttpd.net/2020/12/27/1.4.58/>`__
|
|
|
|
|
|
|
|
--------------------------------------------------------------------------
|
|
20.7.6 (December 08, 2020)
|
|
--------------------------------------------------------------------------
|
|
|
|
|
|
This update brings the usual mix of reliability fixes, plugin and third party
|
|
software updates: FreeBSD, HardenedBSD, PHP, OpenSSH, StrongSwan, Suricata and
|
|
Syslog-ng amongst others.
|
|
|
|
Please note that Let's Encrypt users need to reissue their certificates
|
|
manually after upgrading to this version to fix the embedded certificate chain
|
|
issue with the current signing CA switch going on.
|
|
|
|
The mail backup plugin is currently not available pending a response from
|
|
the maintainer. Users are advised to avoid using it for the moment.
|
|
|
|
Here are the full patch notes:
|
|
|
|
* system: no longer enforce alias names in gateways
|
|
* system: add "step into" icon on log lines when filtering
|
|
* system: add current CPU load progress bar (contributed by kulikov-a)
|
|
* firewall: allow larger selection in live log
|
|
* firewall: correctly select current IPv6 field in getInterfaceGateway()
|
|
* firewall: add validation for ipv6-icmp combined with inet
|
|
* reporting: traffic graph replacement using iftop
|
|
* openvpn: calculate first network address as gateway address when only ifconfig_local is given
|
|
* web proxy: throw startup error to user
|
|
* plugins: os-acme-client 2.1 `[1] <https://github.com/opnsense/plugins/blob/stable/20.7/security/acme-client/pkg-descr>`__
|
|
* plugins: os-frr 1.19 `[2] <https://github.com/opnsense/plugins/blob/stable/20.7/net/frr/pkg-descr>`__
|
|
* plugins: os-mail-backup not available due to unaddressed security concerns
|
|
* src: fix parsing of netmap legacy nmr->nr_ringid
|
|
* src: fix mutex double unlock bug in netmap
|
|
* src: minor misc netmap improvements
|
|
* src: improve netmap(4) and vale(4) man pages
|
|
* src: IPV6_PKTINFO support for v4-mapped IPv6 sockets
|
|
* src: zero-initialize variables in HBSD PaX SEGVGUARD
|
|
* src: fix execve/fexecve system call auditing `[3] <FREEBSD:FreeBSD-EN-20:19.audit>`__
|
|
* src: fix uninitialized variable in ipfw `[4] <FREEBSD:FreeBSD-EN-20:21.ipfw>`__
|
|
* src: fix race condition in callout CPU migration `[5] <FREEBSD:FreeBSD-EN-20:22.callout>`__
|
|
* src: fix ICMPv6 use-after-free in error message handling `[6] <FREEBSD:FreeBSD-SA-20:31.icmp6>`__
|
|
* src: fix multiple vulnerabilities in rtsold `[7] <FREEBSD:FreeBSD-SA-20:32.rtsold>`__
|
|
* src: update timezone database information `[8] <FREEBSD:FreeBSD-EN-20:20.tzdata>`__
|
|
* ports: krb5 1.18.3 `[9] <https://web.mit.edu/kerberos/krb5-1.18/>`__
|
|
* ports: nss 3.59 `[10] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_59.html>`__
|
|
* ports: openldap 2.4.56 `[11] <https://www.openldap.org/software/release/changes.html>`__
|
|
* ports: openssh 8.4p1 `[12] <https://www.openssh.com/txt/release-8.4>`__
|
|
* ports: php 7.3.25 `[13] <https://www.php.net/ChangeLog-7.php#7.3.25>`__
|
|
* ports: strongswan 5.9.1 `[14] <https://wiki.strongswan.org/versions/79>`__
|
|
* ports: suricata 5.0.5 `[15] <https://suricata-ids.org/2020/12/04/suricata-6-0-1-5-0-5-and-4-1-10-released/>`__
|
|
* ports: syslog-ng 3.30.1 `[16] <https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.30.1>`__
|
|
|
|
|
|
|
|
--------------------------------------------------------------------------
|
|
20.7.5 (November 20, 2020)
|
|
--------------------------------------------------------------------------
|
|
|
|
|
|
We return briefly for a small patch set and plan to pin the 20.1 upgrade
|
|
path to this particular version to avoid unnecessary stepping stones. We
|
|
wish you all a healthy Friday. And of course: patch responsibly!
|
|
|
|
Here are the full patch notes:
|
|
|
|
* system: syslog-ng related fixes during package management based restart
|
|
* system: change dpinger syslog message to reflect correct RTT and RTTd unit (contributed by fhloston)
|
|
* web proxy: add toggle for pinger service (contributed by nowyouseeit)
|
|
* web proxy: add missing X-Forwarded-For header option
|
|
* mvc: new Base64Field type
|
|
* mvc: new VirtualIPField type
|
|
* plugins: os-acme-client 2.0 `[1] <https://github.com/opnsense/plugins/blob/stable/20.7/security/acme-client/pkg-descr>`__
|
|
* plugins: os-bind 1.14 `[2] <https://github.com/opnsense/plugins/blob/stable/20.7/dns/bind/pkg-descr>`__
|
|
* plugins: os-chrony 1.1 `[3] <https://github.com/opnsense/plugins/blob/stable/20.7/net/chrony/pkg-descr>`__
|
|
* ports: monit 5.27.1 `[4] <https://mmonit.com/monit/changes/>`__
|
|
* ports: php 7.3.24 `[5] <https://www.php.net/ChangeLog-7.php#7.3.24>`__
|
|
* ports: pkg upstream fix for upgrade script hang `[6] <https://github.com/freebsd/pkg/pull/1893>`__
|
|
* ports: strongswan 5.9.0 `[7] <https://www.strongswan.org/blog/2020/07/29/strongswan-5.9.0-released.html>`__
|
|
|
|
|
|
|
|
--------------------------------------------------------------------------
|
|
20.7.4 (October 22, 2020)
|
|
--------------------------------------------------------------------------
|
|
|
|
|
|
This release finally wraps up the recent Netmap kernel changes and tests.
|
|
The Realtek vendor driver was updated as well as third party software cURL,
|
|
libxml, OpenSSL, PHP, Suricata, Syslog-ng and Unbound just to name a couple
|
|
of them.
|
|
|
|
We would like to thank Sunny Valley Networks for their relentless efforts
|
|
to bring said Netmap fixes and improvements into FreeBSD.
|
|
|
|
If you are having trouble with a stuck update try the command sequence below
|
|
from the root shell or simply reboot from the GUI and rerun the update in
|
|
case it was not fully carried out yet.
|
|
|
|
.. code-block::
|
|
|
|
# pkill syslog-ng
|
|
# service syslog-ng restart
|
|
|
|
Here are the full patch notes:
|
|
|
|
* system: switch web GUI address selection to avoid server.bind in IPv6 first case
|
|
* system: fix defunct "use default" button on web GUI listen interfaces
|
|
* system: signal "auth user changed" when a user is modified via web GUI
|
|
* system: replace gateway widget and add proper API endpoint for it
|
|
* system: fix reading displayName attribute on LDAP search (contributed by ServiusHack)
|
|
* interfaces: change maximum MTU value to 65535 in accordance with RFC 791
|
|
* interfaces: update wireless device detection prefixes
|
|
* interfaces: lexical sort interface keys for assignments
|
|
* firewall: add support for network exclusions in network alias type
|
|
* firewall: add NAT information to pfInfo page (contributed by kulikov-a)
|
|
* firewall: associated NAT rules missed state keyword
|
|
* firewall: allow "or" conditions in live log
|
|
* firewall: use pfctl for alias IP check (contributed by kulikov-a)
|
|
* dnsmasq: regenerate resolv.conf on save
|
|
* dnsmasq: log queries option
|
|
* intrusion detection: ignore pkill exit status when performing update
|
|
* ipsec: add description to reconfigure action (contributed by Frank Wall)
|
|
* unbound: rebuild unbound blacklist download
|
|
* unbound: restructure reconfigure so that we always flush config
|
|
* backend: add new "config changed" event using syshook structure (sponsored by Modirum)
|
|
* mvc: add a few missing control widgets from log pages
|
|
* ui: upgrade moment.js to 2.27.0
|
|
* plugins: os-freeradius 1.9.8 `[1] <https://github.com/opnsense/plugins/blob/stable/20.7/net/freeradius/pkg-descr>`__
|
|
* plugins: os-git-backup 1.0 `[2] <https://github.com/opnsense/plugins/issues/2049>`__ (sponsored by Modirum)
|
|
* plugins: os-haproxy 2.25 `[3] <https://curl.se/changes.html#7_73_0>`__
|
|
* plugins: os-stunnel 1.0.2 adds service protocol selector (contributed by fhloston)
|
|
* src: extended netmap update and driver fixes
|
|
* src: netmap tun and lagg support (contributed by Sunny Valley Networks)
|
|
* src: update Realtek re driver to upstream version 1.96.04 (contributed by Laurent Dinclaux)
|
|
* ports: curl 7.73.0 `[3] <https://curl.se/changes.html#7_73_0>`__
|
|
* ports: libxml fixes for CVE-2019-20388, CVE-2020-7595 and CVE-2020-24977
|
|
* ports: nss 3.58 `[4] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_58.html>`__
|
|
* ports: openssl 1.1.1h `[5] <https://www.openssl.org/news/openssl-1.1.1-notes.html>`__
|
|
* ports: php 7.3.23 `[6] <https://www.php.net/ChangeLog-7.php#7.3.23>`__
|
|
* ports: pkg 1.15.10
|
|
* ports: radvd patch for dynamic interface shifting index
|
|
* ports: sudo 1.9.3p1 `[7] <https://www.sudo.ws/stable.html#1.9.3p1>`__
|
|
* ports: suricata 5.0.4 `[8] <https://suricata-ids.org/2020/10/08/suricata-4-1-9-and-5-0-4-released/>`__
|
|
* ports: syslog-ng 3.29.1 `[9] <https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.29.1>`__
|
|
* ports: unbound 1.12.0 `[10] <https://nlnetlabs.nl/projects/unbound/download/#unbound-1-12-0>`__
|
|
|
|
|
|
|
|
--------------------------------------------------------------------------
|
|
20.7.3 (September 24, 2020)
|
|
--------------------------------------------------------------------------
|
|
|
|
|
|
Today is the day for a number of FreeBSD security advisories and a few
|
|
reliability fixes.
|
|
|
|
We are still testing a batch of Netmap improvement patches with a separate
|
|
kernel. This and the Realtek vendor driver update will likely follow in
|
|
the next kernel update. All feedback is welcome.
|
|
|
|
Here are the full patch notes:
|
|
|
|
* system: use different shell gateway name to appease wizard
|
|
* system: simplify CARP hook
|
|
* interfaces: phase out netaddr.eui.ieee.OUI_REGISTRY_PATH usage
|
|
* firewall: add MAC type to top right filter selection
|
|
* firewall: fix two scrub rule parsing bugs
|
|
* firewall: omit group type interfaces in filter selection
|
|
* intrusion detection: re-create rule cache after rule deployment
|
|
* unbound: add "unbound-plus" section to XMLRPC sync
|
|
* dhcp: adding DDNS values of each additional pool to the $ddns_zones array (contributed by Mathieu St-Pierre)
|
|
* dhcp: add static interface mode to router advertisements
|
|
* rc: fix ssh key permissions on MSDOS import
|
|
* rc: support service identifier in pluginctl -s mode
|
|
* plugins: os-bind download link changes (contributed by gap579137)
|
|
* plugins: os-chrony 1.0 (contributed by Michael Muenz)
|
|
* plugins: os-dnscrypt-proxy blocklist script fixes (contributed by Mark Keisler)
|
|
* plugins: os-frr 1.17 `[1] <https://github.com/opnsense/plugins/blob/stable/20.7/net/frr/pkg-descr>`__
|
|
* plugins: os-postfix 1.17 `[2] <https://github.com/opnsense/plugins/blob/stable/20.7/mail/postfix/pkg-descr>`__
|
|
* plugins: os-rspamd 1.10 `[3] <https://github.com/opnsense/plugins/blob/stable/20.7/mail/rspamd/pkg-descr>`__
|
|
* plugins: os-theme-cicada 1.25 (contributed by Team Rebellion)
|
|
* plugins: os-theme-tukan 1.23 (contributed by Team Rebellion)
|
|
* plugins: os-theme-vicuna 1.1 (contributed by Team Rebellion)
|
|
* plugins: os-wireguard 1.3 `[4] <https://github.com/opnsense/plugins/blob/stable/20.7/net/wireguard/pkg-descr>`__
|
|
* plugins: os-zabbix-agent 1.8 `[5] <https://github.com/opnsense/plugins/blob/stable/20.7/net-mgmt/zabbix-agent/pkg-descr>`__
|
|
* src: fix FreeBSD Linux ABI kernel panic `[6] <FREEBSD:FreeBSD-EN-20:17.linuxthread>`__
|
|
* src: fix SCTP socket use-after-free `[7] <FREEBSD:FreeBSD-SA-20:25.sctp>`__
|
|
* src: fix dhclient heap overflow `[8] <FREEBSD:FreeBSD-SA-20:26.dhclient>`__
|
|
* src: fix ure device driver susceptible to packet-in-packet attack `[9] <FREEBSD:FreeBSD-SA-20:27.ure>`__
|
|
* src: fix bhyve privilege escalation via VMCS access `[10] <FREEBSD:FreeBSD-SA-20:28.bhyve_vmcs>`__
|
|
* src: fix bhyve SVM guest escape `[11] <FREEBSD:FreeBSD-SA-20:29.bhyve_svm>`__
|
|
* src: fix ftpd privilege escalation via ftpchroot `[12] <FREEBSD:FreeBSD-SA-20:30.ftpd>`__
|
|
* src: set PAX_HARDENING_NOSHLIBRANDOM in the RTLD by default
|
|
* src: fix kernel panic while trying to read multicast stream
|
|
* ports: mpd 5.9 `[13] <http://mpd.sourceforge.net/doc5/mpd4.html#4>`__
|
|
* ports: nss 3.57 `[14] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_57.html>`__
|
|
* ports: php 7.3.22 `[15] <https://www.php.net/ChangeLog-7.php#7.3.22>`__
|
|
* ports: pkg 1.15.6 `[16] <https://github.com/freebsd/freebsd-ports/commit/fd4f5566aea>`__
|
|
|
|
|
|
|
|
--------------------------------------------------------------------------
|
|
20.7.2 (September 02, 2020)
|
|
--------------------------------------------------------------------------
|
|
|
|
|
|
While we are still looking closer at netmap/iflib performance on 12.1 we
|
|
are rolling out a kernel with Intel em/igb updates that should avoid bad
|
|
packet counts in the default installation. Syslog-ng received a workaround
|
|
for the diagnosed startup issue and alias now supports MAC address content
|
|
similar to how host content works.
|
|
|
|
Here are the full patch notes:
|
|
|
|
* system: set REQUESTS_CA_BUNDLE in environments
|
|
* system: improve parsing for temperature sensors
|
|
* system: add "new-password" hint for Chrome on login form
|
|
* system: rename syslog services description and hide legacy mode when not enabled
|
|
* system: force syslog-ng restart after boot sequence
|
|
* system: properly read new style logging directories
|
|
* reporting: replace line endings when sending traceback to syslog in flowd_aggregate
|
|
* reporting: add traffic graph filter for private IPv4 networks (contributed by kcaj-burr)
|
|
* firewall: add MAC address alias type
|
|
* firewall: be more verbose when fetching alias remote content
|
|
* firewall: prevent pfctl error messages from being suppressed
|
|
* firewall: exclude all reserved pf.conf keywords from alias name
|
|
* firewall: bogons not loaded on initial load
|
|
* firewall: reset damaged bogons files on startup
|
|
* interfaces: add listen-queue-sizes in socket diagnostics
|
|
* firmware: properly report an unsigned repository
|
|
* firmware: revoke 20.1 fingerprint
|
|
* intrusion detection: rule cache parse error on invalid metadata
|
|
* intrusion detection: allow search for status enabled/disabled
|
|
* web proxy: correct template replacement during build time
|
|
* web proxy: bugfix in JSON access log
|
|
* unbound: updated project block lists links (contributed by gap579137)
|
|
* backend: add regex_replace template support
|
|
* plugins: os-acme-client 1.36 `[1] <https://github.com/opnsense/plugins/pull/1974>`__
|
|
* plugins: os-dyndns 1.23 adds Gandi LiveDNS support (contributed by vizion8-dan)
|
|
* plugins: os-haproxy 2.24 `[2] <https://github.com/opnsense/plugins/blob/stable/20.7/net/haproxy/pkg-descr>`__
|
|
* plugins: os-stunnel 1.0.1 includes performance tweaks
|
|
* plugins: os-telegraf 1.8.2 `[3] <https://github.com/opnsense/plugins/blob/stable/20.7/net-mgmt/telegraf/pkg-descr>`__
|
|
* plugins: os-tinc fixes cipher parsing on 20.7
|
|
* src: remove ACPI workaround for serial console on AMD EPYC
|
|
* src: Make pf.conf ":0" ignore link-local v6 addresses too
|
|
* src: default "show bad packets" tunable to off in e100 driver
|
|
* src: fix unsolicited promisc mode in e1000 driver
|
|
* src: add valectl to the system commands
|
|
* ports: ca_root_nss/nss 3.56 `[4] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_56.html>`__
|
|
* ports: curl 7.72.0 `[5] <https://curl.se/changes.html#7_72_0>`__
|
|
* ports: libressl 3.1.4 `[6] <https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.1.4-relnotes.txt>`__
|
|
* ports: openldap 2.4.51 `[7] <https://www.openldap.org/software/release/changes.html>`__
|
|
* ports: php 7.3.21 `[8] <https://www.php.net/ChangeLog-7.php#7.3.21>`__
|
|
* ports: python 3.7.9 `[9] <https://docs.python.org/release/3.7.9/whatsnew/changelog.html>`__
|
|
* ports: sqlite 3.33.0 `[10] <https://sqlite.org/releaselog/3_33_0.html>`__
|
|
* ports: squid 4.13 `[11] <http://www.squid-cache.org/Versions/v4/squid-4.13-RELEASENOTES.html>`__
|
|
* ports: syslog-ng dlsym() workaround
|
|
* ports: unbound 1.11.0 `[12] <https://nlnetlabs.nl/projects/unbound/download/#unbound-1-11-0>`__
|
|
|
|
|
|
|
|
--------------------------------------------------------------------------
|
|
20.7.1 (August 13, 2020)
|
|
--------------------------------------------------------------------------
|
|
|
|
|
|
Small update here with security advisories, multicast fixes and logging
|
|
reliability patches amongst others.
|
|
|
|
Overall, the jump to HardenedBSD 12.1 is looking promising from our end.
|
|
From the reported issues we still have more logging quirks to investigate
|
|
and especially Netmap support (used in IPS and Sensei) is lacking in some
|
|
areas that were previously working. Patches are being worked on already
|
|
so we shall get there soon enough. Stay tuned.
|
|
|
|
Here are the full patch notes:
|
|
|
|
* system: split log process name into separate column
|
|
* system: filter new style log directories accordingly
|
|
* system: add delay to improve syslog-ng startup
|
|
* system: properly switch login page to latest jQuery 3.5.1
|
|
* firewall: add select boxes for static filters in live log
|
|
* firmware: ignore mandoc.db files in health output as the system will regenerate them weekly
|
|
* firmware: bring back Chinese Aivian mirror
|
|
* firmware: remove defunct opn.sense.nz and RageNetwork mirrors
|
|
* web proxy: add JSON output following Elastic Common Schema (sponsored by Incenter Technology)
|
|
* backend: cap log messages to 4000 characters to prevent longer messages from vanishing
|
|
* plugins: os-acme-client 1.35 `[1] <https://github.com/opnsense/plugins/pull/1950>`__
|
|
* plugins: os-frr 1.15 `[2] <https://github.com/opnsense/plugins/blob/stable/20.7/net/frr/pkg-descr>`__
|
|
* plugins: os-postfix 1.15 `[3] <https://github.com/opnsense/plugins/blob/stable/20.7/mail/postfix/pkg-descr>`__
|
|
* plugins: os-udpbroadcastrelay 1.0 (contributed by Team Rebellion)
|
|
* src: set the current VNET before calling netisr_dispatch() in ng_iface(4)
|
|
* src: assorted multicast group join/leave corrections
|
|
* src: fix vmx driver packet loss and degraded performance `[4] <FREEBSD:FreeBSD-EN-20:16.vmx>`__
|
|
* src: fix memory corruption in USB network device driver `[5] <FREEBSD:FreeBSD-SA-20:21.usb_net>`__
|
|
* src: fix multiple vulnerabilities in sqlite `[6] <FREEBSD:FreeBSD-SA-20:22.sqlite>`__
|
|
* src: fix sendmsg(2) privilege escalation `[7] <FREEBSD:FreeBSD-SA-20:23.sendmsg>`__
|
|
* ports: perl 5.32.0 `[8] <https://perldoc.perl.org/5.32.0/perldelta>`__
|
|
* ports: squid 4.12 `[9] <http://www.squid-cache.org/Versions/v4/squid-4.12-RELEASENOTES.html>`__
|
|
|
|
|
|
|
|
--------------------------------------------------------------------------
|
|
20.7 (July 30, 2020)
|
|
--------------------------------------------------------------------------
|
|
|
|
|
|
For five and a half years, OPNsense is driving innovation through modularising
|
|
and hardening the open source firewall, with simple and reliable firmware
|
|
upgrades, multi-language support, HardenedBSD security, fast adoption of
|
|
upstream software updates as well as clear and stable 2-Clause BSD licensing.
|
|
|
|
20.7, nicknamed "Legendary Lion", is a major operating system jump forward on
|
|
a sustainable firewall experience. This release adds DHCPv6 multi-WAN, custom
|
|
error pages for the web proxy, Suricata 5, HardenedBSD 12.1, netstat tree view,
|
|
basic firewall API support (via plugin) and extended live log filtering amongst
|
|
others.
|
|
|
|
Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
|
|
can be found below as well.
|
|
|
|
* Europe: https://mirrors.dotsrc.org/opnsense/releases/20.7/
|
|
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.7/
|
|
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.7/
|
|
* South America: https://mirror.venturasystems.tech/opnsense/releases/20.7/
|
|
* Australia: http://mirror.as24220.net/opnsense/releases/20.7/
|
|
* Full mirror list: https://opnsense.org/download/
|
|
|
|
Here are the full patch notes against version 20.7-RC1:
|
|
|
|
* system: syslog-ng RFC5424 on FreeBSD 12 needs flags(syslog-protocol)
|
|
* installer: welcome users as genuine 20.7 installer
|
|
* web proxy: do not try to force cachemanager access to use ICAP
|
|
* plugins: os-collectd 1.3 `[2] <https://github.com/opnsense/plugins/blob/stable/20.7/net-mgmt/collectd/pkg-descr>`__
|
|
* plugins: os-zabbix5-proxy 1.3 `[3] <https://github.com/opnsense/plugins/blob/stable/20.7/net-mgmt/zabbix5-proxy/pkg-descr>`__
|
|
* src: prevent netgraph page fault for LTE usage
|
|
* ports: dnsmasq 2.82 `[4] <https://www.thekelleys.org.uk/dnsmasq/CHANGELOG>`__
|
|
* ports: monit 5.27.0 `[5] <https://mmonit.com/monit/changes/>`__
|
|
* ports: nss 3.55 `[6] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_55.html>`__
|
|
* ports: sudo 1.9.2 `[7] <https://www.sudo.ws/stable.html#1.9.2>`__
|
|
|
|
Known issues and limitations:
|
|
|
|
* legacy MPD5 plugins os-l2tp, os-pppoe and os-pptp are no longer available
|
|
* i386 architecture builds are no longer available
|
|
|
|
The public key for the 20.7 series is:
|
|
|
|
.. code-block::
|
|
|
|
# -----BEGIN PUBLIC KEY-----
|
|
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAngIbBcRin9AmDSOsjpft
|
|
# 7aK52TLkOzRc94NqKKnn6ALd6poEuFqYl1tfNT6XumBJDsRL1s56UYfjS8zpvFW3
|
|
# HdzKOv4YtIln6qUuC1w8TXYNprasB/laYoBn2xeCGX5L6carlujQ+h0rsj+kpawr
|
|
# E0/d6oRzR69cxQyoDQHD559Wv4nA795M6QGDhhl3dDq/92gzrrq3C5gJ7ldHi13c
|
|
# inM2Fw+oPUfEIWUt/sqUTZheEk0Df3LSiJlgjQDhjh5uujTLgvX8IzfYAb8clgY3
|
|
# DplgOh4ReoFnx6XVERSPa91ZJGeCV4dTGD2hU40rzU1lkQaiVUITLsfjrYUsNMEo
|
|
# jdG+ndGIPTOrwXH4yGRZuUZZ612ALtO6bd4V1kAOLOS07mo4JB4poEbbB0lvZJSG
|
|
# iTmU9od8zutnLkD66Q/qI8e6OcL0yqjwwG9DzCKg23M6cVWfyBTJhKoqQyhNWnzZ
|
|
# bzvgOXfhOA8jn8FPChaU5OiIrv+g56pQrWKcQsvgQMqlyR+/AFSIrrqprCjDkfOG
|
|
# bxFqTGkPb1n32nbnXJOA5Z43G9/PtBV8lvaEzli6Vehh+Zrcuy8yupbiVWSqTOfp
|
|
# E5cYAmrlDkxKyAlZQtH6EhMF1VBQRrlqGhss5XYoE3DQDqWdhUbGv8Qiiv7ROCza
|
|
# SIMuSzc6u35MooDRDZF4Ba0CAwEAAQ==
|
|
# -----END PUBLIC KEY-----
|
|
|
|
|
|
|
|
.. code-block::
|
|
|
|
# SHA256 (OPNsense-20.7-OpenSSL-dvd-amd64.iso.bz2) = 580070a3a0533418d58eaeb78122f804f2df7081c929288e1dccee34c4bf763a
|
|
# SHA256 (OPNsense-20.7-OpenSSL-nano-amd64.img.bz2) = 6deb370c2a64fa6c60b7f59a4afb31b2dd28b812f5fcd59eaa6d458938d45630
|
|
# SHA256 (OPNsense-20.7-OpenSSL-serial-amd64.img.bz2) = 1276cddd5f7b89aa54fc4a1517cb0686efe94f672627243c5b34d93340441d60
|
|
# SHA256 (OPNsense-20.7-OpenSSL-vga-amd64.img.bz2) = 72cbffe3bba4884586c8ded8dbca4cf30fb34a094602e5f681efde2deea595c6
|
|
|
|
--------------------------------------------------------------------------
|
|
20.7.r1 (July 21, 2020)
|
|
--------------------------------------------------------------------------
|
|
|
|
|
|
For five and a half years, OPNsense is driving innovation through modularising
|
|
and hardening the open source firewall, with simple and reliable firmware
|
|
upgrades, multi-language support, HardenedBSD security, fast adoption of
|
|
upstream software updates as well as clear and stable 2-Clause BSD licensing.
|
|
|
|
We thank all of you for helping test, shape and contribute to the project!
|
|
We know it would not be the same without you. <3
|
|
|
|
Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
|
|
can be found below as well.
|
|
|
|
* Europe: https://mirrors.dotsrc.org/opnsense/releases/20.7/
|
|
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.7/
|
|
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.7/
|
|
* South America: https://mirror.venturasystems.tech/opnsense/releases/20.7/
|
|
* Australia: http://mirror.as24220.net/opnsense/releases/20.7/
|
|
* Full mirror list: https://opnsense.org/download/
|
|
|
|
Here are the full patch notes against 20.1.8_1:
|
|
|
|
* system: allow to optionally disable legacy logging (clog)
|
|
* system: do not allow login redirects to visit external pages
|
|
* system: add new "auth user changed" config event and hook it into LDAP updatePolicies()
|
|
* system: adapt to 3wire serial console setting
|
|
* system: figure out which sysctls are writeable before attempting to write them
|
|
* system: Windows-friendly Nextcloud configuration backup file timestamp (contributed by Alphakilo)
|
|
* system: disable PCRE JIT in PHP config
|
|
* system: clean up start / stop beep handler
|
|
* interfaces: improved VLAN handling and defaults for more stable netmap use on 12.1
|
|
* interfaces: support DHCPv6 multi-WAN (contributed by Team Rebellion)
|
|
* interfaces: show delegated prefix in overview (contributed by Team Rebellion)
|
|
* interfaces: DHCPv4 no-release and debug options moved to global interface settings
|
|
* interfaces: automatically register loopback device lo0
|
|
* firewall: handle new net.pf.request_maxcount system limit accordingly
|
|
* firewall: properly evaluate and execute gateway monitoring kill states feature
|
|
* firewall: add the iplen option to shaper rules (contributed by Maxfield Allison)
|
|
* firewall: show partial alias content in tooltip
|
|
* firewall: translated static log overview page to MVC
|
|
* firewall: aliases now show internal aliases
|
|
* firewall: validate if NAT destination contains a port
|
|
* firewall: prevent config_read_array() from adding an empty lo0
|
|
* firmware: added fingerprint for 20.7 series
|
|
* firmware: hint at missing plugins and request to install or dismiss
|
|
* intrusion detection: extend rule search with metadata and show results on rule info
|
|
* intrusion detection: updated pattern options (contributed by Xeroxxx)
|
|
* intrusion detection: synchronize suricata.yaml with default template
|
|
* network time: NMEA GPS clock messages latitude and longitude parsing fix (contributed by mikahe)
|
|
* network time: prevent widget PHP warnings if no GPS fix was returned in NMEA message (contributed by mikahe)
|
|
* unbound: integrate functionality formerly known as "unbound-plus" plugin (contributed by Michael Muenz)
|
|
* web proxy: support for custom error pages (sponsored by Incenter Technology)
|
|
* web proxy: add connect_timeout (contributed by Michael Muenz)
|
|
* web proxy: allow PURGE on cache (contributed by sazb)
|
|
* web proxy: add missing IPv6 listener
|
|
* mvc: add "S" option for AllowDynamic in InterfaceField type
|
|
* mvc: LegacyLinkField not allowed to return null in __toString()
|
|
* backend: add safeguard for illegal configd settings leading to overrides on the same command leaf
|
|
* backend: emove undocumented and unused alias support
|
|
* mvc: support virtual nodes in model instances
|
|
* rc: implement inline variables for skip and defer service start
|
|
* ui: unify edit dialog and add onBeforeRenderDialog event deferrable
|
|
* ui: use firewall groups to group interfaces menu accordingly
|
|
* ui: moved virtual IP menu entry to interfaces
|
|
* ui: jQuery 3.5.1
|
|
* plugins: os-dyndns 1.22 `[2] <https://github.com/opnsense/plugins/pull/1654>`__
|
|
* plugins: os-intrusion-detection-content-et-pro 1.0.2 switches to Suricata 5 rules
|
|
* plugins: os-telegraf 1.8.1 `[3] <https://github.com/opnsense/plugins/blob/stable/20.7/net-mgmt/telegraf/pkg-descr>`__
|
|
* plugins: os-theme-rebellion 1.8.6 (contributed by Team Rebellion)
|
|
* plugins: os-tinc fixes switch mode `[4] <https://github.com/opnsense/plugins/pull/1733>`__
|
|
* plugins: os-wireguard 1.2 `[5] <https://github.com/opnsense/plugins/pull/1865>`__
|
|
* src: HardenedBSD 12.1-p7
|
|
* ports: ca_root_nss 3.54
|
|
* ports: curl 7.71.1 `[6] <https://curl.se/changes.html#7_71_1>`__
|
|
* ports: php 7.3.20 `[7] <https://www.php.net/ChangeLog-7.php#7.3.20>`__
|
|
* ports: python 3.7.8 `[8] <https://docs.python.org/release/3.7.8/whatsnew/changelog.html>`__
|
|
* ports: sqlite 3.32.3 `[9] <https://sqlite.org/releaselog/3_32_3.html>`__
|
|
* ports: suricata 5.0.3 `[10] <https://suricata-ids.org/2020/04/28/suricata-5-0-3-released/>`__
|
|
|
|
Known issues and limitations:
|
|
|
|
* Legacy MPD5 plugins os-l2tp, os-pppoe and os-pptp will no longer be available
|
|
* i386 architecture builds will no longer be available
|
|
* Installer still advertises 20.1
|
|
|
|
The public key for the 20.7 series is:
|
|
|
|
.. code-block::
|
|
|
|
# -----BEGIN PUBLIC KEY-----
|
|
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAngIbBcRin9AmDSOsjpft
|
|
# 7aK52TLkOzRc94NqKKnn6ALd6poEuFqYl1tfNT6XumBJDsRL1s56UYfjS8zpvFW3
|
|
# HdzKOv4YtIln6qUuC1w8TXYNprasB/laYoBn2xeCGX5L6carlujQ+h0rsj+kpawr
|
|
# E0/d6oRzR69cxQyoDQHD559Wv4nA795M6QGDhhl3dDq/92gzrrq3C5gJ7ldHi13c
|
|
# inM2Fw+oPUfEIWUt/sqUTZheEk0Df3LSiJlgjQDhjh5uujTLgvX8IzfYAb8clgY3
|
|
# DplgOh4ReoFnx6XVERSPa91ZJGeCV4dTGD2hU40rzU1lkQaiVUITLsfjrYUsNMEo
|
|
# jdG+ndGIPTOrwXH4yGRZuUZZ612ALtO6bd4V1kAOLOS07mo4JB4poEbbB0lvZJSG
|
|
# iTmU9od8zutnLkD66Q/qI8e6OcL0yqjwwG9DzCKg23M6cVWfyBTJhKoqQyhNWnzZ
|
|
# bzvgOXfhOA8jn8FPChaU5OiIrv+g56pQrWKcQsvgQMqlyR+/AFSIrrqprCjDkfOG
|
|
# bxFqTGkPb1n32nbnXJOA5Z43G9/PtBV8lvaEzli6Vehh+Zrcuy8yupbiVWSqTOfp
|
|
# E5cYAmrlDkxKyAlZQtH6EhMF1VBQRrlqGhss5XYoE3DQDqWdhUbGv8Qiiv7ROCza
|
|
# SIMuSzc6u35MooDRDZF4Ba0CAwEAAQ==
|
|
# -----END PUBLIC KEY-----
|
|
|
|
Please let us know about your experience!
|
|
|
|
|
|
|
|
.. code-block::
|
|
|
|
# SHA256 (OPNsense-20.7.r1-OpenSSL-dvd-amd64.iso.bz2) = d54dca6390497d45b831f68f352fccf84881aac78a360247965e5c9b36fbfded
|
|
# SHA256 (OPNsense-20.7.r1-OpenSSL-nano-amd64.img.bz2) = f78d51d53bf663df2d49a3724812893d8c55234ab8d4a9232663fa581496edbe
|
|
# SHA256 (OPNsense-20.7.r1-OpenSSL-serial-amd64.img.bz2) = 984f8c9d63598f061cc8995245dea73703532c1bb688ac87cdb1e510fb53b80e
|
|
# SHA256 (OPNsense-20.7.r1-OpenSSL-vga-amd64.img.bz2) = 711811e0a7d37d323a060c52590daa9f024e77c6da627530c6596367a09b412d
|